With summer now upon us, it seems that everyone is on vacation. Just take a quick look at the number of out-of-office (OOO) replies piling up in your inbox.
While the organization adjusts to conducting business as usual with 75% of the workforce in place, it also becomes more exposed to phishing attacks.
In the ever-evolving war between hackers and organizations, 3.4 billion phishing attacks are raining on us every day. Each attack improves on the last, and the art of deception is advancing rapidly. As summer vacations rise, so do the OOO replies, turning summer into Christmas time for the hackers, because OOO replies hand these bandits the information they need to craft targeted phishing attacks.
While employees truly wish to remain diligent and not miss emails while away, each OOO reply inadvertently provides information about the mailbox owner, such as dates, forwarding contacts, alternative emails, phone numbers, titles, and possibly even vacation location details. Such information is “hacker heaven” as there are plenty of details to create advanced and personalized phishing attacks that may hit employees as soon as they return from vacation.
For example, a phishing attack may look like:
Good to have you back from your vacation. Hope you enjoyed it.
Just wanted to remind you that you need to update your security information.
Click Here to complete your process.
The SOC team.
The example above is only one of thousands, and it shows how a personalized email can easily drive employees who have not been trained on phishing attacks for a while to click a link that leads to a significant data breach. With the average cost of an attack now at $14.8M USD, up from $3.8M USD in 2015, organizations are advised to increase their security awareness, especially now, during the summertime.
Here Are 3 Suggested Protective Measures for the Summer
The guidelines below assume that a security awareness program is already running. If employees are trained monthly to detect phishing attacks, this practice will prove itself once they come back from their vacation and sift through their inboxes.
1. Provide employees with guidelines on what to write, and what not to write, in the OOO notification
Because the information shared in OOO replies increases the likelihood of personalized phishing attacks, create policies and guidelines for what an OOO reply should contain. While each organization sets its own cyber-hygiene policies, we recommend that OOO replies not include personal forwarding emails, phone numbers or names. If a forwarding address is necessary, consider a dedicated mailbox that can be deactivated shortly after the employee returns. Do not state the reason for the absence or the travel destination. Keep it short. Keep it safe.
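As an added illustration of the guideline above (this is example code, not code from the original post or from any vendor product), here is a small Python linter that flags the details an OOO draft should not carry. The regex heuristics, the finding names and the sample replies are constructed assumptions; the allowlist stands in for the organization's approved dedicated forwarding mailboxes.

```python
import re
from typing import Dict, FrozenSet

# Constructed heuristics for details the guideline says to leave out of an OOO reply.
# They are deliberately simple; real deployments would tune them to local formats.
CHECKS = {
    # Phone numbers: a digit, 7+ digits/separators, a closing digit (optional leading +).
    "phone_number": re.compile(r"\+?\d[\d\s().-]{7,}\d"),
    # Stating why you are away (the guideline says not to).
    "reason_for_absence": re.compile(
        r"\b(vacation|holiday|honeymoon|conference|maternity|sick leave)\b", re.I),
    # "vacation in Lisbon", "traveling to ..." : a travel destination.
    "travel_location": re.compile(
        r"\b(?:travel(?:l)?ing|trip|flying|vacation|holiday|away)\s+(?:to|in)\s+[A-Z][a-z]+"),
    # A named forwarding contact: "contact Dana Levi", "call John".
    "forwarding_contact_name": re.compile(
        r"\b(?:contact|reach|email|call|ask)\s+([A-Z][a-z]+(?:\s+[A-Z][a-z]+)?)"),
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def check_ooo_reply(text: str, allowed_forwarding: FrozenSet[str] = frozenset()) -> Dict[str, str]:
    """Return {finding_name: offending snippet} for each guideline the draft violates.

    allowed_forwarding holds the dedicated, temporary mailboxes the organization
    permits as forwarding addresses; any other address is treated as personal.
    """
    findings: Dict[str, str] = {}
    for name, pattern in CHECKS.items():
        match = pattern.search(text)
        if match:
            findings[name] = match.group(0)
    for addr in EMAIL_RE.findall(text):
        if addr.lower() not in allowed_forwarding:
            findings["personal_forwarding_email"] = addr
            break  # one example is enough to fail the draft
    return findings


if __name__ == "__main__":
    # Constructed sample drafts, not real messages.
    risky = ("I am on vacation in Lisbon until July 21 and will have no email access. "
             "For urgent matters please contact Dana Levi at dana.levi@example.com "
             "or call +1 555 010 2323.")
    safe = ("I am out of the office until July 21 and will reply when I return. "
            "For urgent requests please email helpdesk@example.com.")
    print(check_ooo_reply(risky))
    print(check_ooo_reply(safe, frozenset({"helpdesk@example.com"})))
```

An empty result means the draft follows the guideline; each key names the detail that has to come out before the auto-reply is enabled.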
2. Provide employees with summer guidelines for corporate device security
Employees traveling abroad, especially for a long vacation, may take their laptops or other corporate devices with them. Laptops may be stolen or simply forgotten in a random coffee shop. Even without that risk, working in conditions that lack security hygiene exposes employees more than usual to unprotected public Wi-Fi networks, with a higher chance of getting malware installed.
We recommend providing employees, right before they travel, with your policies on laptop security, the use of public Wi-Fi, which systems may be accessed over public Wi-Fi, and how to check email on devices that are not their own.
3. Install Anti-phishing Software
To reduce the burden of phishing detection on employees, anti-phishing software can help. This software inspects the content of emails, websites, and other ways to access data through the internet and then warns the user of a threat. This safety net can also block likely phishing emails before they reach a person’s inbox.
Why running phishing simulations every month is important
Running phishing simulations continuously, at least once a month, provides a hands-on experience that is invaluable for learning and retaining good cyber habits.
Phishing simulations, especially personalized ones, teach employees how to deal with phishing attacks through real-world practice, which improves retention. Such awareness training programs are most effective when they run regularly and frequently and focus on the threats employees are most likely to face given their job role, department, or location.
Organizations training their employees before the vacation season can rest assured that this knowledge will be retained throughout the summer.
When we face our common enemy, the hackers, we should not forget that they are advancing every single day. Only consistent training of your employees is the remedy to keep your organization safe.